Device Access SCEP certificates
You can set up Device Access Simple Certificate Enrollment Protocol (SCEP) certificates for macOS. These certificates deploy with your mobile device management (MDM) software. The certificates are used to grant access to specific API endpoints and to identify the device making the calls.
Certificates set up for Device Access aren't used to attest to the management status of a device. See Configure a Certificate Authority for more information about management attestation.
Device Access SCEP certificates are required to use Desktop Password Sync on devices running macOS 14 Sonoma and later. See Configure Desktop Password Sync for macOS 14 .
Device Access SCEP certificates are separate from SCEP certificates used for managed device attestation, and are a required component of Okta Device Access.
On this page
Configure Okta as a CA for Device Access
There are three different ways that you can configure Okta as a Certificate Authority (CA) for Okta Device Access:
-
Okta as a CA with static SCEP
-
Okta as a CA with dynamic SCEP
-
Okta as a CA with delegated SCEP
The configuration of each certificate follows the same processes as configuring Okta as a CA for device management. While following the appropriate process for your org, make the following two minor changes to allow the CA to be used specifically for Device Access:
-
In the Admin Console, go to .
-
Click the Device Access tab instead of the Endpoint management tab.
-
When creating the SCEP profile in Jamf Pro, set the Level of the SCEP profile to Computer Level instead of User Level.
Follow the appropriate process for your org and operating systems:
-
Configure Okta as a CA with static SCEP challenge for macOS with Jamf Pro
-
Configure Okta as a CA with dynamic SCEP challenge for macOS with Jamf Pro
-
Configure Okta as a CA with delegated SCEP challenge for macOS using MEM (formally Intune)
Click the Device Access tab to configure the Certificate Authority for Device Access, and remember to set the SCEP profile to Computer Level in your MDM.
Use your own Certificate Authority for Device Access
You can use your own Certificate Authority for Device Access.
-
In the Admin Console, go to .
-
Click the Certificate Authority tab.
-
Click Add certificate authority.
-
Select the Device Access radio button.
-
Click Browse files and then select the appropriate certificate file to upload. Okta uploads certificates automatically, and a message appears if the upload was successful. To view details about the certificate, click View root certificate chain details.
-
Click Save.
Using your own Certificate Authority for Device Access follows the same process as using your own CA for device management. Follow the process outlined in Use your own certificate authority for managed devices. Three minor changes are required for you to use the CA specifically for Device Access:
-
Before you upload the certificate to Okta in the Admin Console, select Device Access.
-
In your MDM, ensure that the certificate is deployed at the Computer Level.
-
You can skip the steps that discuss endpoint management.
After the certificate is uploaded, add a custom certificate extension on issued client certificates on SCEP to ensure that Device Access can locate and select the correct certificate. Add the following values to the certificate extension:
-
Extension OID: 1.3.6.1.4.1.51150.13.1
-
Extension value: 1 (integer)
The format of the certificate extension varies depending on your CA provider. Refer to your provider's documentation for the appropriate format to use. The following example is a custom extension certificate profile for DigiCert:
{
"oid": "1.3.6.1.4.1.51150.13.1",
"critical": true,
"template": {
"type": "INTEGER",
"value": "1"
}
}If you configured Okta as the Certificate Authority for Device Access, Okta completes this step for you.
Verify the certificate deployment
After the CA is set up and the certificates deployed, verify that the certificates have been deployed to your org's desktop devices as expected.
-
On a macOS device managed by Jamf Pro, open .
-
Click Keychain and then click System.
-
Confirm that the client certificate and the associated private key exist.
-
Verify that a custom extension with OID 1.3.6.1.4.1.51150.13.1 is present on the client certificate.
If you're unable to verify that the certificate was deployed with the required settings, review the task steps. Ensure that you select Device Access in the Okta Admin Console and that the certificates are set at computer level in your MDM.